img {
max-width: 100%;
height: auto;
}

span {
font-weight: bold;
}

p {
line-height: 1.5;
}

ul {
list-style-type: disc;
padding-left: 20px;
}

li {
margin-bottom: 5px;
}

blockquote {
margin-top: 10px;
padding-left: 10px;
border-left: 2px solid #555;
}

Joe Maring / Digital Trends

After its launch in late April 2024, the Rabbit R1 received a mixed bag of reviews. Many reviewers described it as a rather unhelpful gadget that was scarcely more useful than Humane’s AI Pin. Digital Trends’ Joe Maring gave it a mere single star, writing, “The Rabbit R1 was supposed to be one of the hottest AI gadgets of the year. Instead, it’s a complete mess in every imaginable way, plagued by bugs and flaws.”

Adding to the woes, Rabbit is now facing reports of a data breach that may have exposed sensitive user data. Rabbitude, a project dedicated to reverse engineering the Rabbit R1, reported that it managed to gain access to the Rabbit codebase and found several hardcoded API keys within its codes.

Recommended Videos

This isn’t an exhaustive list, but it enables users to do the following:

• Read every response the R1 has ever given, including those that contain personal information.
• Brick all R1s.
• Alter the responses of all R1s.
• Replace every R1’s voice.

It was also revealed that the API keys for several services were exposed, including:

• ElevenLabs (for text-to-speech).
• Azure (for an old speech-to-text system).
• Yelp (for review lookups).
• Google Maps (for location lookups).

Joe Maring / Digital Trends

Rabbitude noted that the API keys for ElevenLabs grant full privileges. These include accessing the history of all past text-to-speech messages, changing voices, adding custom text replacements, deleting voices, and even crashing the rabbitOS backend, effectively bricking all Rabbit R1 devices. However, Rabbit did revoke the ElevenLabs API key, which temporarily disrupted the functionality of the Rabbit devices.

This is a concerning set of permissions for any device, especially considering that it’s an always-on voice-activated AI gadget equipped with cameras. Rabbitude said they reached out to the Rabbit Team, who are aware of the leaked API keys, but they have chosen to ignore the issue, and as of this writing, the API keys are still valid.

all rabbit r1 responses could be read by us for the past month and rabbit knew about it and did nothing to fix it.https://t.co/r6NmhZJY5W

— xyzeva (@xyz3va) June 25, 2024

Endgadget also contacted the company and was confirmed that Rabbit is aware of the “alleged” data breach as of June 25. “Our security team immediately began investigating it,” the company said. “As of now, we have no evidence of customer data being leaked or any compromise to our systems. If we learn of any additional relevant information, we will update once we have more details.”

In terms of security failures, this appears to be a rather serious one. While the Rabbit R1 is a nifty device, it has numerous flaws, and the security issues are significant enough that we strongly suggest that you cease using it, at least for the time being. After all, there’s nothing your $199 Rabbit R1 (with a separate data plan required) can do that your smartphone can’t already do.